The Banking Group Jeremy Attali Josh Gerdes William Kormos Matt Tjarks
Corporate Office
• Availability
  • Availability is one of the basic goals of security: if the service is not available, customers may take their business elsewhere.
  • Two separate Internet connections:
    • 1 for the web server inside the DMZ
    • 1 for the employees who need an Internet connection
  • Two firewalls before traffic reaches the secure network
  • This is meant to give greater availability in case of a malfunction, a Denial of Service (DoS) attack, etc.
Corporate Office - DMZ
• Integrity
  • Integrity matters so that you know unauthorized users have not changed your data.
• 1st Firewall - Web server
  • Provides an outside web presence through the DMZ while protecting inside assets.
  • Keeps the actual account data safe: the web server only forwards requests to a database server further back rather than storing account data itself.
Corporate Office - DMZ
• Firewall 2 - Web server
  • Allows IPsec (used to protect confidentiality) from the ATMs, so that the ATMs can directly reach the account information they need.
• Separate network to protect critical data
  • Keeps the account database isolated from the rest of the network.
  • If one machine is compromised, the client data is still, in theory, safe.
Corporate Office – Secure Network
• Firewall 1 & Router
  • First line of protection against attack from the Internet
  • Very strict policies
• Firewall 2 & Switch
  • Separate network to protect critical data
  • Keeps the account database isolated from the rest of the network
  • If one machine is compromised, the client data is still, in theory, safe
Corporate Office
• Inside It All
• Loan Department
  • Part of the work is done locally, part runs in the data center
  • VPN connection to a 3rd-party provider
• Teller Services
  • Workstations that connect to the Teller Services Server (TSS) in the data center
  • Tellers can only reach the TSS from their own workstations
• Data Center
  • Contains all critical servers
  • Etc.
Corporate Office
• 1st Firewall Rules
  • Pass IPsec packets on to the 2nd firewall/router
  • Allow outside hosts to the web server in the DMZ over HTTPS (SSL) only; plain HTTP to the web server is dropped
  • Allow HTTP from outside to inside so employees have Internet access
  • Allow the web server in the DMZ to reach the database server inside, over an encrypted connection only
  • Drop everything else. Firewall rules are evaluated top to bottom and the first match wins, so this default-deny rule must be the last one or it would shadow the allow rules after it.
Corporate Office
• 2nd Firewall Rules
  • Allow Teller Services to reach the DMZ from the inside for account updates
  • Allow outside to the DMZ for the web server and for ATM changes to accounts
  • Allow HTTP to travel through from outside to inside so employees have Internet access
  • Drop everything else (last rule)
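The two rule lists above only behave as intended if the default "drop" comes last. The following is an added example, not configuration from the project: it models the 1st and 2nd firewall rules as ordered first-match lists, checks sample packets against them, and flags rules that can never fire because an earlier rule already covers them. Zone names, port numbers (including the database port) and the sample packets are assumptions made for illustration.

```python
"""First-match firewall policy checker (added example, not the project's own config).

Models the 1st and 2nd firewall slides as ordered rule lists. Rules are
evaluated top to bottom and the first match decides, so a catch-all drop
placed before later allows silently shadows them. Zone names, ports and
packets below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "*"
HTTP, HTTPS = 80, 443
DB_TLS_PORT = 5432   # assumed port of the encrypted DMZ-to-database channel


@dataclass(frozen=True)
class Packet:
    src: str                    # zone: outside, dmz, inside, atm, branch
    dst: str
    proto: str                  # tcp, udp, or esp (IPsec)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "drop"
    src: str = ANY
    dst: str = ANY
    proto: str = ANY
    dport: Optional[int] = None # None matches every port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.proto in (ANY, p.proto)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` would also match self."""
        return (self.src in (ANY, other.src) and self.dst in (ANY, other.dst)
                and self.proto in (ANY, other.proto)
                and (self.dport is None or self.dport == other.dport))


def decide(rules, packet):
    """Return (action, index) of the first matching rule; index -1 = implicit default deny."""
    for i, r in enumerate(rules):
        if r.matches(packet):
            return r.action, i
    return "drop", -1


def dead_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already covers them."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# 1st firewall, with the default deny where it belongs: last.
FIREWALL_1 = [
    Rule("allow", "atm", "inside", "esp", note="pass IPsec from ATMs on to firewall 2"),
    Rule("allow", "branch", "inside", "esp", note="pass IPsec from branch offices"),
    Rule("allow", "outside", "dmz", "tcp", HTTPS, note="outside to DMZ web server, HTTPS only"),
    Rule("allow", "outside", "inside", "tcp", HTTP, note="employee Internet access"),
    Rule("allow", "dmz", "inside", "tcp", DB_TLS_PORT, note="web server to DB, encrypted port only"),
    Rule("drop", note="default deny: keep this last"),
]

# The same rules with the drop placed where the slide lists it (third), which
# shadows the two allow rules after it: employee web access is now dropped.
FIREWALL_1_MISORDERED = FIREWALL_1[:3] + [FIREWALL_1[5]] + FIREWALL_1[3:5]

# 2nd firewall, between the DMZ and the secure/inside networks.
FIREWALL_2 = [
    Rule("allow", "inside", "dmz", "tcp", note="teller services to DMZ for account updates"),
    Rule("allow", "outside", "dmz", "tcp", HTTPS, note="web server account changes"),
    Rule("allow", "atm", "dmz", "esp", note="ATM account changes over IPsec"),
    Rule("allow", "outside", "inside", "tcp", HTTP, note="employee Internet access"),
    Rule("drop", note="default deny: keep this last"),
]

if __name__ == "__main__":
    for name, rules in (("firewall 1", FIREWALL_1), ("firewall 1 (slide order)", FIREWALL_1_MISORDERED)):
        print(name, "dead rules:", [rules[i].note for i in dead_rules(rules)])
        print("  outside->inside HTTP:", decide(rules, Packet("outside", "inside", "tcp", HTTP)))
```

Run `dead_rules()` on any rule list before deploying it: a non-empty result means some rule can never match, which is almost always an ordering mistake of the kind the slide's "otherwise, drop" invites.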
Branch Office
• Firewall/Router
  • Allow IPsec from the branch to the database for account updates
  • Allow HTTP in to certain machines only
  • Set up a VPN connection in the Loan Department to communicate with 3rd-party providers
  • Set up a secondary network in the DMZ so that traveling employee auditors get Internet access without necessarily getting access to the local network
Demo
• Router
  • Set up to simulate the first set of routers
• Firewall
  • Set up like the first firewall
• Web server
  • A basic website that could be used to display account balance information
• Database
  • Stores names and balances; very basic, for demo purposes only
Database Rules
• Teller
  • Can read the database to look up customers
  • May write the account balance, and nothing else
  • Cannot update the balance of an account whose name matches the employee's own name
• Branch President
  • Has account name write privileges
    • Useful if a customer changes their name for some reason
  • Has full read privileges
  • Can add or remove accounts
  • No balance update privileges
• Bank President
  • Has read access to everything, for audit purposes
  • No write access
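The permission matrix above, written out as an added example (not the project's demo code): a role/permission check in front of an in-memory SQLite `accounts` table, including the row-level rule that a teller may not change the balance of an account carrying their own name. The role names, the column names, the sample rows and the helper names are assumptions; SQLite has no GRANT statement, so the checks are enforced in the application layer.

```python
"""Role-based checks for the demo account database (added example, not the project's code).

Encodes the Database Rules slide as a role -> permission map plus one
row-level rule (no self-dealing on balance updates). Names, columns and the
sample rows are assumptions for illustration.
"""
import sqlite3

READ, WRITE_BALANCE, WRITE_NAME, ADD, REMOVE = (
    "read", "write_balance", "write_name", "add_account", "remove_account")

ROLE_PERMS = {
    "teller":           {READ, WRITE_BALANCE},
    "branch_president": {READ, WRITE_NAME, ADD, REMOVE},
    "bank_president":   {READ},                         # audit only, no writes
}


class Denied(PermissionError):
    pass


def authorize(role, action, employee=None, account=None):
    """Raise Denied unless `role` may perform `action`; balance writes also get the self-check."""
    if action not in ROLE_PERMS.get(role, set()):
        raise Denied(f"{role} may not {action}")
    # Slide rule: an employee may not change the balance of an account in their own name.
    if action == WRITE_BALANCE and employee == account:
        raise Denied("employee may not change the balance of an account in their own name")


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("Alice Customer", 1200), ("Bob Teller", 300)])  # constructed sample rows
    conn.commit()
    return conn


# Every query is parameterised; names coming from tellers are untrusted input.
def lookup(conn, role, account):
    authorize(role, READ)
    row = conn.execute("SELECT balance FROM accounts WHERE name = ?", (account,)).fetchone()
    return None if row is None else row[0]


def update_balance(conn, role, employee, account, new_balance):
    authorize(role, WRITE_BALANCE, employee, account)
    cur = conn.execute("UPDATE accounts SET balance = ? WHERE name = ?", (new_balance, account))
    return cur.rowcount == 1


def rename_account(conn, role, old_name, new_name):
    authorize(role, WRITE_NAME)
    cur = conn.execute("UPDATE accounts SET name = ? WHERE name = ?", (new_name, old_name))
    return cur.rowcount == 1


def add_account(conn, role, name, balance=0):
    authorize(role, ADD)
    conn.execute("INSERT INTO accounts VALUES (?, ?)", (name, balance))
    return True


def remove_account(conn, role, name):
    authorize(role, REMOVE)
    return conn.execute("DELETE FROM accounts WHERE name = ?", (name,)).rowcount == 1


def denied(fn, *args):
    """True if the policy refuses the call, False if it went through."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    db = open_demo_db()
    print("teller updates Alice:", update_balance(db, "teller", "Bob Teller", "Alice Customer", 1500))
    print("teller updates own account refused:",
          denied(update_balance, db, "teller", "Bob Teller", "Bob Teller", 9999))
    print("bank president audit read:", lookup(db, "bank_president", "Alice Customer"))
```

The self-dealing check is the part a plain GRANT cannot express: it depends on the row being written, so it belongs either in application code like `authorize()` or, on a database that supports it, in a trigger or row-level policy.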
Optional Wireless Access
• The idea
  • Let customers have Internet access inside the corporate or a branch office
  • Control the content
  • Filter traffic
• The problem
  • We don't want to open the connection to the entire world
  • In particular, we don't want employees to have access over the wireless network
Optional Wireless Access
• Some solutions
  • Use MAC filtering
    • Easy to implement
    • Hard to control
    • A pain for customers
  • Use a 3rd-party solution, e.g. Cisco Unified Wireless Network
    • Hard to implement
    • Provides good protection
    • Expensive